Good Gravy, That was Quick!

By ewhac in Internet
Mon Jan 21, 2002 at 02:07:47 PM EST
Tags: Internet

Eventually, I hope to don the mantle of sysadmin, when I host my own domain and Web server at the end of my DSL line. Naturally, security is important to me; I don't want my box to be the one that is used to spray the net with crap, so I've been moving slowly, making sure I understand everything I intend to put on the wire. I knew the Internet had become a less friendly place, populated by more and more jerks, but until tonight, I had no idea just how supremely virulent some of them were.


I have a FreeBSD box sitting at the end of a DSL line. This box is intended to eventually become my firewall, Web, and email host for my as-yet-unregistered vanity domain. I've read enough horror stories about boxes being r00t3d that I wasn't about to let mine get hijacked. As such, until I understand how to properly secure the box, I keep it powered off when I'm not actually fiddling with it.

Tonight, I was experimenting with getting my old (Cob-)Web site running under Zope on said box, so it had been up and running for several hours. I was doing most of the experiments through Mozilla on another machine. I popped back to the FreeBSD console, and saw something very worrying. Here's the entry from /var/log/maillog:

Jan 20 21:20:07 www sendmail[493]: g0L5K6b00493: ruleset=check_rcpt, arg1=<robinhood666@arabia.com>, relay=63-198-30-233.globaldatadotcom.com [63.198.30.233], reject=550 5.7.1 <robinhood666@arabia.com>... Relaying denied
Jan 20 21:20:07 www sendmail[493]: g0L5K6b00493: from=<sickdegenerate@hotmail.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=63-198-30-233.globaldatadotcom.com [63.198.30.233]

Thank $(GOD) FreeBSD's 'sendmail' comes configured out of the box to reject relay attempts, or things could have been bad for someone, not the least of which being me. A quick Google search revealed that the attempted relay rapist is one Richard "John" Scott, an unrepentant spammer, who even has a history of posing as a "regular" user and reporting competing spammers to abuse channels.

In the time I was tracking this one down, another, completely different, attempt arrived:

Jan 20 23:10:17 www sendmail[595]: g0L7AHb00595: ruleset=check_rcpt, arg1=<Stop_Open_Relays@StopOpenRelays.com>, relay=30.muad.sttl.sttwa01r1.dsl.att.net [12.102.51.30], reject=550 5.7.1 <Stop_Open_Relays@StopOpenRelays.com>... Relaying denied
Jan 20 23:10:17 www sendmail[595]: g0L7AHb00595: lost input channel from 30.muad.sttl.sttwa01r1.dsl.att.net [12.102.51.30] to MTA after rcpt
Jan 20 23:10:17 www sendmail[595]: g0L7AHb00595: from=<Stop_Open_Relays@hotmail.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=30.muad.sttl.sttwa01r1.dsl.att.net [12.102.51.30]

What makes this particularly astounding to me is that the rape attempt was made on a machine without a DNS name -- just a bare IP number -- and that is turned off 99% of the time. That means these guys probably have roving portscanners that don't even confine their search to DNS MX records, but portscan every IP address they can find, and then make an immediate attempt to exploit it. (I dimly wonder if this constitutes a criminal intrusion attempt.)

This shows that my instinct to keep the box powered off was a good one. But I'm still absolutely floored that a new machine on the net could get attacked by parasites so quickly, especially when that machine has done nothing to draw attention to itself.

I'll be reading those security procedures double-close now. If you ever intend to run your own servers, you should, too.

Schwab

Good Gravy, That was Quick! | 41 comments (33 topical, 8 editorial, 0 hidden)
Interesting... (3.33 / 3) (#4)
by m0rzo on Mon Jan 21, 2002 at 06:25:12 AM EST

Maybe this story would have been better suited to a diary but nevertheless I voted it +1FP.

Being totally honest, I'm not as clued up on IT as I'd like. Of course, I'm perfectly competent in ensuring my own personal PC is secure and running in order but I would be totally lost running a web-server. My main impetus for frequenting Kuro5hin is the socio-political debate and not IT.

That said, I'm sure this article is not just restricted to those running servers online. When I first installed a firewall, I was amazed at the number of mindless little shites who had begun to scan me relentlessly - I wasn't even on IRC.

Prevention is better than cure.


My last sig was just plain offensive.

Had the same problem (4.50 / 2) (#5)
by depok on Mon Jan 21, 2002 at 07:00:14 AM EST

I had a similar experience when reinstalling my w2k server a few months ago. The time it took to install & patch the server with the latest service pack + patches, CodeRed and Nimda got on my system. (the server was "unprotected" for about 20 minutes).
Ok, my fault I realized later. I should have closed all the incoming ports on my router. I learned my lesson well.

koen

death has a thousand faces, they all look familiar to me

I can sympathize (none / 0) (#35)
by DigitalRover on Fri Jan 25, 2002 at 06:28:47 PM EST

I ran an NT4 to 2K upgrade on an office server that I *thought* was completely confined to the office enviro. Wrong! I left in the evening intending to finish the next morning. Overnight it got hit by CodeRed via an old firewall conduit. Fortunately, everything else within the office is well locked down...

From now on new builds stay off the network until they are completely patched and locked down. Even if they're not exposed to the outside.

Same here on Solaris / Sendmail (none / 0) (#39)
by sgp on Mon Jan 28, 2002 at 01:37:31 AM EST

At work we own a subnet, I put a machine on a new IP in that subnet - no machine had ever been on that IP address before - and within 15 minutes someone was trying to spam it.
Fortunately I'd made the box pretty secure before putting it there, but I was amazed at the speed in which they found it.

There are 10 types of people in the world:
Those who understand binary, and those who don't.


Voted -1 (3.33 / 3) (#6)
by wiredog on Mon Jan 21, 2002 at 08:35:49 AM EST

Due to the "Nothing new to see here" phenomenon but, on further reflection, maybe it should be posted. Because it's so common.

I've come to the conclusion that spam won't be stopped until Bad Things™, legal or otherwise, start happening to spammers.

Peoples Front To Reunite Gondwanaland: "Stop the Laurasian Separatist Movement!"

Exim log. (4.00 / 2) (#9)
by priestess on Mon Jan 21, 2002 at 08:56:03 AM EST

Other than checking that my SMTP wasn't relaying it hadn't really entered my mind to see if anyone was actually trying to send stuff through my machine. Looking through the Exim logs now it seems there have been eleven attempts so far this year, which is quite a few less than your experience would indicate but way more than an unadvertised machine really ought to have I'd have thought.

Most interesting, since I can't be arsed to look up the IP addresses and figure out who these idiots are, would be this one:
2002-01-17 05:13:40 refused relay (host) to <Stop_Open_Relays@StopOpenRelays.com> from <Stop_Open_Relays@hotmail.com> H=30.muad.sttl.sttwa01r1.dsl.att.net (StopOpenRelays) [12.102.51.30]
Presumably someone who's running a script that would have emailed me if I'd agreed to let it relay to itself and told me off. Never really sure if abusing a system to see if it can be abused is a good plan, but I guess it beats doing nothing.

Pre.........

----
My Mobile Phone Comic-books business
Robots!
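The "Relaying denied" entries in the story's maillog and the "refused relay" line in the Exim comment above record the same kind of probe in two formats. The following added example (not code from either poster) parses both formats and tallies rejected relay attempts by connecting host, which is how you would notice that one source, 12.102.51.30, probed both boxes. The sample log is built from the lines quoted in this thread.

```python
"""Tally rejected SMTP relay attempts from sendmail and Exim logs."""
import re

# sendmail maillog: "... ruleset=check_rcpt, arg1=<rcpt>, relay=name [ip], reject=550 ... Relaying denied"
# relay= may be "[ip]" alone when the peer has no reverse DNS.
SENDMAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\S+): "
    r"ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]*)>, "
    r"relay=(?:(?P<host>[^\s\[]+) )?\[(?P<ip>[\d.]+)\], reject=550 .*Relaying denied"
)

# Exim main log: "YYYY-MM-DD hh:mm:ss refused relay (host) to <rcpt> from <sender> H=name (helo) [ip]"
# H= may omit the name and/or the HELO string.
EXIM_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) refused relay \(host\) to <(?P<rcpt>[^>]*)> "
    r"from <(?P<sender>[^>]*)> H=(?:(?P<host>[^\s\[(]+) )?(?:\([^)]*\) )?\[(?P<ip>[\d.]+)\]"
)


def parse_line(line):
    """Return a dict describing a rejected relay attempt, or None for any other line."""
    line = line.rstrip("\n")
    for mta, rx in (("sendmail", SENDMAIL_RE), ("exim", EXIM_RE)):
        m = rx.match(line)
        if m:
            rec = m.groupdict()
            rec["mta"] = mta
            rec.setdefault("sender", None)  # sendmail's check_rcpt line carries no sender
            return rec
    return None


def summarize(lines):
    """Group attempts by source IP: {ip: {"host", "count", "rcpts", "mtas"}}."""
    out = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # "from=" and "lost input channel" lines are not rejections
        entry = out.setdefault(rec["ip"], {"host": rec["host"] or rec["ip"],
                                           "count": 0, "rcpts": set(), "mtas": set()})
        entry["count"] += 1
        entry["rcpts"].add(rec["rcpt"])
        entry["mtas"].add(rec["mta"])
    return out


def report(summary):
    """One text line per source, busiest first."""
    rows = sorted(summary.items(), key=lambda kv: -kv[1]["count"])
    return [f"{ip} ({v['host']}): {v['count']} attempt(s) via {', '.join(sorted(v['mtas']))}"
            for ip, v in rows]


# Constructed sample: the log lines quoted in this thread, plus the non-rejection lines
# that sit next to them in the maillog so the parser is seen to skip them.
SAMPLE_LOG = """\
Jan 20 21:20:07 www sendmail[493]: g0L5K6b00493: ruleset=check_rcpt, arg1=<robinhood666@arabia.com>, relay=63-198-30-233.globaldatadotcom.com [63.198.30.233], reject=550 5.7.1 <robinhood666@arabia.com>... Relaying denied
Jan 20 21:20:07 www sendmail[493]: g0L5K6b00493: from=<sickdegenerate@hotmail.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=63-198-30-233.globaldatadotcom.com [63.198.30.233]
Jan 20 23:10:17 www sendmail[595]: g0L7AHb00595: ruleset=check_rcpt, arg1=<Stop_Open_Relays@StopOpenRelays.com>, relay=30.muad.sttl.sttwa01r1.dsl.att.net [12.102.51.30], reject=550 5.7.1 <Stop_Open_Relays@StopOpenRelays.com>... Relaying denied
Jan 20 23:10:17 www sendmail[595]: g0L7AHb00595: lost input channel from 30.muad.sttl.sttwa01r1.dsl.att.net [12.102.51.30] to MTA after rcpt
2002-01-17 05:13:40 refused relay (host) to <Stop_Open_Relays@StopOpenRelays.com> from <Stop_Open_Relays@hotmail.com> H=30.muad.sttl.sttwa01r1.dsl.att.net (StopOpenRelays) [12.102.51.30]
"""

if __name__ == "__main__":
    for row in report(summarize(SAMPLE_LOG.splitlines())):
        print(row)
```

Point it at a real /var/log/maillog and the Exim main log with `summarize(open(path))` to get the same tally over your own traffic.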
ORBS (3.50 / 2) (#13)
by J'raxis on Mon Jan 21, 2002 at 12:26:46 PM EST

This is exactly how ORBS used to work (they’re gone now); they would send out test probes like this to see if relays were open.

— The Raxis

[ J’raxis·Com | Liberty in your lifetime ]

Well... (3.66 / 3) (#10)
by DeadBaby on Mon Jan 21, 2002 at 09:20:58 AM EST

I'd like to point out that you're seeing attacks on a machine that's not even online often with an OS and mail server that a tiny fraction of the people on the internet are using. Now, think about script kiddies all over the world doing this same thing to Windows machines online 24x7, easily found all over the internet - often with users who wouldn't even consider installing patches.

Keep that in mind next time you think Windows is unsecure. If script kiddies decided that BSD and Linux users would be more fun to play with - and if there were enough of them to make it viable... they could do just as much damage on any OS. Security isn't a Windows or UNIX issue, it's a hacker issue. As long as you allow people to get away with doing this stuff no OS will ever be secure.


"Our planet is a lonely speck in the great enveloping cosmic dark. In our obscurity -- in all this vastness -- there is no hint that help will come from elsewhere to save us from ourselves. It is up to us." - Carl Sagan
Um. No. (4.00 / 1) (#37)
by Shovas on Sat Jan 26, 2002 at 10:26:34 AM EST

Greetings,
"Security isn't a Windows or UNIX issue, it's a hacker issue. As long as you allow people to get away with doing this stuff no OS will ever be secure."
This is one of the most spewed fallacies of the FUD talk referring to alternative OS'. As I'm sure you've noticed, this author's BSD system came defaulted NOT to allow open relaying. But not only this, the level of maturity and auditing done on these OS' internals is of a much greater level of quality than Microsoft's Windows. Saying that if the numbers for *nix and Windows machines were reversed, you'd see just as much actual harm done with Unix as Windows, is completely unfounded and is pop-rhetoric for those who haven't looked into alternative OS' to realize what they're saying.

The track history of the Unices speak for itself. Virii and worms on *nix? Sure. You and I have both heard of them. But to a much lesser extent than windows for simple precautionary reasons, such as the secure by default route, not running as root all the time, simply having multiple users, and, last but not least, having an open code base open to auditing along with a bug tracking community which releases information 10fold the rate of closed-source applications, even though there are certainly more and worse bugs in these.

No harm was done with the author's install of BSD. This is far from what would've happened with a default install of almost any Microsoft Windows version. It 'irks' me that people think it's a numbers game. ;) The philosophy behind *nix systems(and especially Open Source Software) develops some inherent variation in operation, features and design methods, which generally lead to a better system as it concerns security. Windows is far from being similar to Linux, and these differences mean the world in security.

Farewell,
---
Join the petition: Rusty! Make dumped stories & discussion public!
---
Disagree? Post. Don't mod.
Rooting story (4.33 / 3) (#12)
by marx on Mon Jan 21, 2002 at 11:23:45 AM EST

Hah! This is nothing! Someone managed to root my box over a dial-up line. This is in Europe, where local phone calls are metered, so the line was only up 2-3h/day. I wanted to switch to another virtual console, and my root password had stopped working. I got suspicious and checked ps, and someone (a script probably) was compiling eggdrop!

As long as the intent is not really malicious, I just think it's fun to experience things like this. The good thing with Linux and similar OSes is that you can track these kinds of things through the logs (well, usually not successful attempts, the logs can be forged), and quite easily learn how to fix or assess your security. It's one thing to abstractly think of hackers roving around on the net, but something completely different to see detailed logs of continuous hacking attempts on your own anonymous box.

Join me in the War on Torture: help eradicate torture from the world by holding torturers accountable.

Similar story (3.50 / 2) (#18)
by fluffy grue on Mon Jan 21, 2002 at 05:56:30 PM EST

Back when Slackware 3.1 was still considered new, I was running Slack 3.1 on a machine with a 14.4kbps connection. One evening I started getting a lot of mail directed to root at my IP address complaining about a spammer, as well as a lot of postmaster bounces. Turns out that someone found my crappy default relay-allowing Sendmail configuration and was using my paltry 14.4kbps connection to spam with. It was very annoying. I very quickly found documentation on how to disable relaying that night.
--
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]

IP scanning (3.50 / 2) (#15)
by rusty on Mon Jan 21, 2002 at 01:35:18 PM EST

It's not so surprising that you got scanned so quickly. Smart spammers and h4x0rs will tend to scan the customer blocks of large cable and DSL ISPs, because these are prime targets. They have good bandwidth, are always online, and are probably run by an incompetent admin. Not you, in this case, but the majority of them will be unsecured home Windows boxes. It's like cheetahs hunting at the waterhole.

____
Not the real rusty
sendmail (3.00 / 1) (#16)
by PresJPolk on Mon Jan 21, 2002 at 03:14:00 PM EST

Why don't you configure sendmail only to listen on your internal network (or localhost if it's just one box instead of on a LAN), so that attackers wouldn't even see your services to begin with?

sendmail is Hard... (3.00 / 1) (#20)
by ewhac on Mon Jan 21, 2002 at 07:23:37 PM EST

First, because I don't know how yet. Even the docs on M4-based configuration are tough to work through.

Second, because this box will eventually become the mail server for my domain, so allowing only localhost access would be a stopgap measure at best.

Schwab


yes sendmail is hard (4.50 / 2) (#21)
by labradore on Mon Jan 21, 2002 at 08:42:33 PM EST

I used sendmail until I switched to Debian. The default MTA in Debian is Exim. I was a little worried at the time I switched because I had never heard of Exim, but a short search for vulnerabilities showed that Exim has a better record than Sendmail. Then I looked at the documentation and I knew I was in for a much smoother ride with Exim. No M4. Configuration can still become complicated but not as hard as Sendmail IMO. The other plus side is that Debian has an excellent configuration system. Good luck with your box.

Related but not the same: I recently found out why it is a bad idea to host your own DNS server on the same box and/or network as your primary web and mail servers. My ISP recently changed my "static" IP on me and after more than a year of smooth sailing I have lost DNS for 3 days while I have set up primary and secondary nameservers elsewhere. Life sucks when you don't own your IPs. I hope that changes with IPv6.


exim better record (none / 0) (#26)
by PresJPolk on Tue Jan 22, 2002 at 11:22:27 AM EST

But, does exim have a better record because it's coded better, or does it have a better record because it's simply been attacked less, being less popular?

It may not really matter much... (none / 0) (#27)
by OmniGeek on Tue Jan 22, 2002 at 03:59:37 PM EST

In either case, there is SOME gain in security if the script crussies aren't executing attacks specific to your install. Maybe not much, but some...

Security through Obscurity (none / 0) (#29)
by PresJPolk on Tue Jan 22, 2002 at 04:18:49 PM EST

Well, the trick is we don't want to use the obscurity of exim as a substitute for a known level of security in sendmail.

Hm, sysadmins deserve good pay. This is hard work, keeping up, making the hard decisions. :-)

You might want to (4.00 / 1) (#22)
by fhotg on Mon Jan 21, 2002 at 08:47:37 PM EST

have a look at qmail, the MTA that made me frolicking.
~~~
Gitarren für die Mädchen -- Champagner für die Jungs

Sendmail? OpenBSD! (none / 0) (#34)
by phliar on Fri Jan 25, 2002 at 12:17:09 AM EST

...because I don't know how yet.
The docs on OpenBSD are excellent. (Actually, all the BSDs -- Linux is a pathetic loser when it comes to accurate and up-to-date documentation.)

...this box will eventually become the mail server for my domain, so allowing only localhost access...
The sendmail installation on OpenBSD is solid. You don't have to turn off the outside interface (like you say, a little hard to accept email if you can't get to sendmail from the outside!). If you want to do fancy stuff, configuring sendmail is hard; but if you're doing ordinary "accept email for me, don't allow spammer assholes to relay through me" then you don't have to change anything from the way OpenBSD sets it up for you.

A lot of my friends have DSL but are not very security conscious. I set up OpenBSD firewalls for all them, and also wrote a howto: Using OpenBSD 2.9 As A Firewall/Gateway for Home DSL or Cable -- it covers everything -- NAT, DHCP, DNS, NTP, sendmail etc.


Faster, faster, until the thrill of...

qmail! (4.00 / 2) (#25)
by niralth on Tue Jan 22, 2002 at 11:15:39 AM EST

qmail is a nice alternative to sendmail. Written by a guy who thought sendmail was too insecure, it's pretty easy to configure and use. We use it at my company as the only mail server with no problems.

Check out qmail.org for lots of poorly organized documentation. Check out Life with qmail for a good, typical use explanation.



When you've done that, look at Courier. (none / 0) (#41)
by static on Wed Feb 06, 2002 at 10:29:59 PM EST

Courier.

Uses qmail's maildir format but is rather saner to configure. Courier was written by someone who didn't like DJB's habit of ignoring patches.

Wade.


Postfix + FBSD easy as 1 2 3 (none / 0) (#33)
by thefatz on Thu Jan 24, 2002 at 08:27:39 AM EST

You say FreeBSD right. Ahh use the power of the ports.

Simple...
cd /usr/ports/mail/postfix-current
make install
make replace (to remove sendmail, install postfix)
(few little prompts pop up)

Then, edit /usr/local/etc/postfix/main.cf to your needs.

Great docs for postfix at www.postfix.org.

Also you say new to Admin biz...ok cool, try this.

cd /usr/ports/sysutils/webmin
make install

That installs webmin, a webgui-driven piece of software that listens on port 10000, and can use ssl easy with FreeBSD (there will be a prompt to use ssl, just takes a bit more compile time, no biggie). Connect to your machine on port 10000 ... i.e. https://myfreebsdmachine:10000 and it shall ask for username and password, which it should ask you to setup when you do the make install. Webmin is nice for a novice to start tickling the system, and learning how some things work.

Hope this may help a bit, I think you will like the ports system....Ohh boy they sure are nice.


Move all MiG?
I got hit by Nimda (2.00 / 2) (#17)
by georgeha on Mon Jan 21, 2002 at 03:20:24 PM EST

within minutes of testing my dynamic DNS addy on my stock RedHat box. Fortunately the only people doing an nmap on it were nice (hi em).

I then started downloading OpenBSD, and when I go live with my dynamic dns server, it will be much more secure (and esoteric).

New Development (none / 0) (#23)
by ewhac on Mon Jan 21, 2002 at 09:15:36 PM EST

Now someone's messing with the SSH daemon on my box:

Jan 21 17:42:44 www sshd[309]: fatal: Timeout before authentication for 205.158.171.132.

The IP number is part of infolane.com's netblock.

Schwab

Similar story at Byte.com (none / 0) (#24)
by wiredog on Tue Jan 22, 2002 at 08:45:40 AM EST

Jon Udell got hit 45 minutes after his DSL line went live. The story at Byte

Peoples Front To Reunite Gondwanaland: "Stop the Laurasian Separatist Movement!"
My firewall is ALWAYS getting scanned (4.00 / 1) (#28)
by OmniGeek on Tue Jan 22, 2002 at 04:08:06 PM EST

I have a hardware firewall on my cable connection, cranked to maximum suspicion. Alas, the dumb thing won't remote log, so I cannot trace or log any of this, but I have noticed that the cable modem's activity light USUALLY blinks irregularly several times a minute, even when my attached systems are all off. I have concluded this is either 1) ARP traffic from the network routers, or 2) port scans by the baddies. Frankly, I'm morally certain it's Door Number 2...

As soon as I get an afternoon free, I plan to swap the hardware f'wall for a 486 running the Linux Router Project code, or else a locked-down RedHat 5.2 install with no services. Then I can watch the fun.

Door Number One (none / 0) (#32)
by Teribaen on Wed Jan 23, 2002 at 01:23:41 AM EST

I have concluded this is either 1) ARP traffic from the network routers, or 2) port scans by the baddies. Frankly, I'm morally certain it's Door Number 2...

It's probably door number one, or something like it. Every cable modem I've seen (most of them connected to Adelphia Powerlink) does that, including mine which has been connected to various logging firewalls over the last year.

Whatever traffic it is, it's something low level like ARP, not port scans. Bah, now you've got me curious and I'm going to have to find out.


It can vary depending on your DSL line (none / 0) (#36)
by BeBoxer on Fri Jan 25, 2002 at 08:19:53 PM EST

It depends a little bit on how your DSL line is configured. Mine is set up in a 'bridge' mode, so I tend to see a lot of spurious broadcast traffic. There is pretty much a continuous trickle of ARP requests coming down my line. Not enough to impact thruput at all, but enough to make sure my activity lights are never quiet for more than a few seconds. Now if your DSL modem is acting as a router, the only broadcast traffic on the line should be the packets between your router and your upstream router. With only two devices talking directly to each other on a /30 network the amount of broadcast traffic can be pretty minimal. Or the routers can be talking any number of chatty routing protocols to keep things going. The only way to know for sure is to look at the packets. I've got a second NIC hooked into a hub between my Linksys router/NAT box and my DSL modem, so I've run ethereal a few times just to see what the 'background' noise level is like. It's almost entirely random ARPs for other people connected to my ISP.

Better still. (none / 0) (#40)
by sgp on Mon Jan 28, 2002 at 01:39:04 AM EST

Not no services, enable things like Sendmail, but configured to deny everything. That way you get logs of attempts.

There are 10 types of people in the world:
Those who understand binary, and those who don't.


Run a firewall (none / 0) (#30)
by GuyZero on Tue Jan 22, 2002 at 05:16:32 PM EST

All the more reason to get an old/cheap box and run a firewall.

If you're familiar with such things almost any Linux or *BSD distribution can be configured to block ports, do NAT, etc.

If you're not good with things, get something like Smoothwall which is a pretty decent free, Linux-based firewall. Now, the Smoothwall developers' attitudes leave something to be desired, but there's no doubt that it's a good product with a very slick UI. I've got it running on an old 486/66 with 16 megs of RAM and its old 500 meg hard drive - a lot of machine for a firewall maybe, but I had it sitting around and you could buy a used machine like this at a lot of places for $25 probably.

Smoothwall probably isn't impenetrable, but it will block lame portscans and attempts to hijack your SMTP relay. It will forward ports from the firewall to boxes inside, it auto-registers with a variety of dynamic DNS providers, etc, etc. Get it or something like it.



A simple NAT router... (none / 0) (#31)
by Zapata on Tue Jan 22, 2002 at 09:40:29 PM EST

will deny 99.99% of these attacks. Mine has done a fine job of keeping idiots out of my home network. I watch the logs and think "Ha-ha, you lose."

"If you ain't got a camel, you ain't Shiite."


Adminspotting (none / 0) (#38)
by wagadog on Sun Jan 27, 2002 at 08:29:12 PM EST

Just wait till you see your first r00tkit. Then you'll be paranoid!

Choosy Admins Choose Adminspotting
